Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, when `APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS` is enabled, direct conversation view correctly blocks users who are neither the assignee nor the creator. The `save_draft` AJAX path is weaker. A direct POST can create a draft inside a conversation that is hidden in the UI. Version 1.8.215 fixes the vulnerability.
Published: 2026-04-21
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized draft creation in hidden conversations enabling data injection and potential disclosure
Action: Immediate Patch
AI Analysis

Impact

FreeScout allows an authenticated user to POST to the save_draft AJAX endpoint, bypassing the APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS setting. This lets non-assignees or non-creators create drafts inside conversations that the UI hides, providing a covert channel for data injection and potential information disclosure. The flaw corresponds to CWE-863, unchecked ownership of resources.
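To make the authorization gap concrete, here is an added Python model (not FreeScout's own PHP code) of the pattern the advisory describes: the conversation view consults the assigned-only visibility rule, while a draft-saving path that skips that rule lets any authenticated user write into a hidden conversation. The `Conversation`, `Settings`, `can_view` and `save_draft_*` names are assumptions for illustration; the fix shown is simply to reuse the same gate on every write path.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Conversation:
    id: int
    assignee_id: Optional[int]
    creator_id: int
    drafts: List[str] = field(default_factory=list)


@dataclass
class Settings:
    show_only_assigned: bool  # models APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS


def can_view(user_id: int, conv: Conversation, settings: Settings) -> bool:
    """Visibility rule the direct conversation view enforces (assumed model)."""
    if not settings.show_only_assigned:
        return True
    return user_id in (conv.assignee_id, conv.creator_id)


def save_draft_vulnerable(user_id: int, conv: Conversation, settings: Settings, text: str) -> bool:
    # Pre-fix pattern as described: the draft path never consults the
    # visibility rule, so any authenticated user succeeds on a hidden conversation.
    conv.drafts.append(text)
    return True


def save_draft_fixed(user_id: int, conv: Conversation, settings: Settings, text: str) -> bool:
    # Hardened path: every write path reuses the same gate as the view, so a
    # conversation that is hidden from a user is also unwritable by that user.
    if not can_view(user_id, conv, settings):
        raise PermissionError("conversation is not visible to this user")
    conv.drafts.append(text)
    return True


def demo():
    # Constructed sample: assigned-only mode on, user 9 is neither assignee nor creator.
    settings = Settings(show_only_assigned=True)
    conv = Conversation(id=42, assignee_id=7, creator_id=3)
    outsider = 9
    hidden = not can_view(outsider, conv, settings)
    vuln_ok = save_draft_vulnerable(outsider, conv, settings, "injected draft")
    try:
        save_draft_fixed(outsider, conv, settings, "blocked draft")
        fixed_blocked = False
    except PermissionError:
        fixed_blocked = True
    return hidden, vuln_ok, fixed_blocked, len(conv.drafts)
```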

Affected Systems

The vulnerability affects versions of FreeScout below 1.8.215, specifically the freescout-help-desk:freescout product. Any deployment running an older release is at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate to high severity. The EPSS score is not available, so the probability of exploitation is unknown, but the anonymity of the endpoint may limit exposure. The vulnerability is not listed in CISA KEV. An attacker would need authenticated access and could target the /save_draft endpoint by sending a POST request, exploiting the lack of visibility checks.

Generated by OpenCVE AI on April 21, 2026 at 22:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update FreeScout to version 1.8.215 or later to receive the fix that restores visibility checks on draft creation.
  • If an update is not immediately possible, temporarily disable the APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS configuration or restrict write permissions on the /save_draft endpoint to assigned or creator users.
  • Ensure that no other exposed API endpoints can be used to create or modify hidden conversation drafts; audit access controls accordingly.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Freescout Helpdesk; Freescout Helpdesk freescout

Type: Vendors & Products
Values Removed: (none)
Values Added: Freescout Helpdesk; Freescout Helpdesk freescout

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 17:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, when `APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS` is enabled, direct conversation view correctly blocks users who are neither the assignee nor the creator. The `save_draft` AJAX path is weaker. A direct POST can create a draft inside a conversation that is hidden in the UI. Version 1.8.215 fixes the vulnerability.

Type: Title
Values Removed: (none)
Values Added: FreeScout has assigned-only visibility bypass via save_draft that allows hidden conversation draft injection

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-863

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T17:48:06.353Z

Reserved: 2026-04-18T02:51:52.972Z

Link: CVE-2026-41190

Vulnrichment

Updated: 2026-04-21T17:48:01.478Z

NVD

Status: Received

Published: 2026-04-21T17:16:57.510

Modified: 2026-04-21T17:16:57.510

Link: CVE-2026-41190

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:45:16Z

Weaknesses